package jdbc;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Parameterized (pre-compiled) SQL.
 *
 * When a statement has to contain user-supplied data, building it by string
 * concatenation lets that data change the query itself (SQL injection).
 * With a {@link java.sql.PreparedStatement} the query text is fixed up front
 * and every data value is marked by a "?" placeholder; the values are bound
 * separately with setXxx(), so they are passed as data rather than spliced
 * into the statement text.
 */
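public class JDBCDemo7 {
    private static final Logger LOG = Logger.getLogger(JDBCDemo7.class.getName());

    /**
     * Prompts for a username and password and checks them against the
     * {@code userinfo} table.
     *
     * User input reaches the database only through {@link PreparedStatement}
     * parameters, so it cannot alter the query structure. Prints "登录成功" when
     * a row matches and "登录失败" otherwise; the message is the same whether the
     * username or the password was wrong, so the demo does not reveal which
     * accounts exist.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        UserInfo userInfo = InputUtil.getInputObject(new UserInfo(), "欢迎登陆", "登陆");

        // Only the id is needed to decide whether a row matched; not selecting the
        // password column keeps the stored credential out of the application.
        // NOTE(review): comparing the typed password directly with the stored column
        // means the table holds it in a recoverable form (plaintext or an unsalted
        // transform). Production code should store a salted hash (bcrypt/scrypt/argon2),
        // look the row up by username only and verify the hash in Java. Confirm the
        // schema before reusing this pattern.
        String sql = "SELECT id FROM userinfo WHERE username=? AND password=?";

        // Statement and ResultSet are closed as well, not only the Connection.
        try (Connection connection = DBUtil.getConnection();
             PreparedStatement ps = connection.prepareStatement(sql)) {
            ps.setString(1, userInfo.getUsername()); // placeholder 1
            ps.setString(2, userInfo.getPassword()); // placeholder 2
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    System.out.println("登录成功");
                } else {
                    System.out.println("登录失败");
                }
            }
        } catch (SQLException e) {
            // Keep the cause for operators; driver/SQL details should not be shown
            // to the end user.
            LOG.log(Level.SEVERE, "Login query failed", e);
        }
    }
}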
